Mobile Threat Monday: Malicious Banking Apps and Crafty Copycats

This week, we look at two threats affecting Android users. The first is a malicious banking app which swipes your personal info—including your banking login. The second is a repackaged "copycat" app with nasty surprises.


This week, we look at two nasty apps that are causing problems for Android users in Asia-Pacific countries. While we often talk about Eastern Europe as a haven for scammers and hackers, the popularity of third-party app stores in Asian countries has proved advantageous for attackers. The two apps are a banking Trojan and a copycat app.

HanaN Bank

Security company F-Secure tipped us to a banking Trojan targeting South Korean customers. Posing as Hana Bank's official banking app, it gives scammers access to a wealth of personal information. Unfortunately, the origins of this app aren't clear, but F-Secure hypothesizes that it might have sprung from SMS spam campaigns in Korea.

F-Secure explained that once it's installed, the app "steals certificates stored in NPKI folder, zips them then uploads it to a remote server." Korean financial firms often use these certificates for financial transactions.

Along with the certificates, the app also goes after device information, phone number, your account name, your account number, your password, your SMS messages, and a host of other user-specific information relevant to bank fraud. It's possible that with the app's access to SMS messages, it could be used to sidestep two-factor authentication, like the Zitmo.b banking Trojan.

In short, it's a one-stop-shop for everything a scammer needs to part you from your money (or your identity). F-Secure says that this banking Trojan, called FakeKRBank, is in the same family as those that have attacked Shinhan Bank, Woori Bank, and Kookmin Bank.

While this particular Trojan is fairly targeted, there are others that are far broader in scope. Regardless of where you bank, the best defense against Trojans is the same: Only download apps from trusted sources. Also, make sure that your Android security settings are set to not allow installations from sources other than Google Play.

Careful readers will remember that creating a Trojanized Android app is remarkably simple.

Phony NetDragon Update

We talked about so-called copycat apps last week, and this week's tip from NQ Mobile is an object lesson in how they can harm users. For those who missed it last week, copycat apps are Trojanized versions of legitimate applications with minor changes. Sometimes the changes are so minor that the apps slip through to the Google Play store. Because app files are so easy to disassemble, scammers can insert info-stealing code or just aggressive ad networks, and rake in easy money from people looking for free versions of popular apps.

The nasty app has been identified as a.frau.longjian.a and is disguised as an update to the NetDragon 91 Assistant app. "When the user chooses to update with this fraudulent app, it automatically downloads other repackaged apps in the background that consume the user's data," wrote NQ Mobile.

Once installed, the app uses premium SMS messages that charge users extra fees on their wireless bills. Think of those fundraisers where you send a special text message and $10 is donated to the Red Cross or This American Life, but used for evil. The app can also capture user data like your phone number as well as IMEI and IMSI device identifiers.

NQ Mobile reports 193 infected devices across China, Angola, Hong Kong, Iraq, Macao, Malaysia, Singapore, Taiwan, and Vietnam. Attacks that rely on premium SMS codes to make money are generally targeted by region, since certain short codes only work in certain countries.

Spotting copycat apps can be tricky, since they use the name and trust of legitimate apps to sneak past even scrupulous users. If you see a free version, update, or add-on that is separate from a legitimate app, make sure they're made by the same developer. Also, never follow links to download apps from SMS messages, and avoid sideloading apps onto your device.
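The "same developer" check can be made concrete by comparing signing certificates, since a repackaged app has to be re-signed with a key the original developer does not hold. The following is an added example, not part of the original article: it assumes you have saved the combined text output of `aapt dump badging` and `apksigner verify --print-certs` for a known-good APK and for the candidate, and every package name, label and digest in it is constructed.

```python
import re

# Fields as printed by `aapt dump badging` and `apksigner verify --print-certs`.
PKG_RE = re.compile(r"^package: name='([^']+)'", re.M)
LABEL_RE = re.compile(r"^application-label:'([^']*)'", re.M)
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})$", re.M)

def identity(tool_output):
    """Return (package, label, signer digests) from combined tool output."""
    pkg = PKG_RE.search(tool_output)
    label = LABEL_RE.search(tool_output)
    signers = frozenset(DIGEST_RE.findall(tool_output))
    if not pkg or not signers:
        raise ValueError("missing package name or signer digest (unsigned APK?)")
    return pkg.group(1), (label.group(1) if label else ""), signers

def classify(trusted_output, candidate_output):
    """Compare a candidate APK against a copy known to come from the developer."""
    pkg_t, label_t, sign_t = identity(trusted_output)
    pkg_c, label_c, sign_c = identity(candidate_output)
    if sign_t == sign_c:
        # Only the holder of the developer's private key can produce this.
        return "genuine-update" if pkg_t == pkg_c else "same-developer"
    if pkg_t == pkg_c:
        return "repackaged"   # same package name, re-signed with another key
    if label_t.casefold() == label_c.casefold():
        return "lookalike"    # borrows the display name only
    return "unrelated"

def sample(pkg, label, digest):  # builds constructed tool output
    return (f"package: name='{pkg}' versionCode='7' versionName='1.7'\n"
            f"application-label:'{label}'\n"
            f"Signer #1 certificate DN: CN=Constructed Signer\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n")

DEV, OTHER = "a1" * 32, "b2" * 32  # constructed 64-hex-digit digests
TRUSTED = sample("com.example.assistant", "Example Assistant", DEV)
CASES = {
    "genuine": sample("com.example.assistant", "Example Assistant", DEV),
    "addon": sample("com.example.assistant.themes", "Assistant Themes", DEV),
    "resigned": sample("com.example.assistant", "Example Assistant", OTHER),
    "fake_update": sample("com.example.asst.update", "Example Assistant", OTHER),
}

if __name__ == "__main__":
    for name, out in CASES.items():
        print(f"{name:12} -> {classify(TRUSTED, out)}")
```

A "repackaged" or "lookalike" verdict for something presented as an update or add-on is the case the article warns about: the name matches, the signer does not.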

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.
Prior to PCMag, Max wrote for the International Digital Times, The International Science Times, and The Mary Sue. He has also been known to write for Geek.com. You can follow him on...